General Security Advice and Best Practices
First of all, from a global perspective, please keep in mind the 10 Immutable Laws of Security, and also the 10 Immutable Laws of Security Administration.
Now, since security can and should be applied at different layers, this article aims to gather best practices for implementing IT security at the operational level. You may not want, or be able, to implement all of these layers, so we highly recommend approaching security management through risk assessment and management. To know more about our Security Risk Management Guide, please refer to: http://www.microsoft.com/en-us/download/details.aspx?id=6232
To identify the current threat landscape, assess the corresponding risks and take appropriate action, we suggest having a look at the SIR (Security Intelligence Report), which may also help you define priorities in your risk management approach.
Now let's go into more detail. The idea here is to list security layers that can be leveraged in a Defense in Depth (DiD) approach.
General security equipment and architectures
Network
- Update the network inventory of your estate on a regular basis; SCCM discovery features might help you do so (see: http://technet.microsoft.com/en-us/library/gg712308.aspx#BKMK_NetworkDisc ). Link each asset to its business owner, who is also accountable for it.
- Implement network isolation (DMZ / LAN): make sure there is no direct access to your internal (LAN) machines from the Internet, and filter protocols between the DMZ and the LAN. A flow from an untrusted network to a trusted one should always be broken by an intermediary (proxy, relay, gateway) rather than routed end to end. Do not forget wireless networks and guest networks; isolate them from critical/confidential networks where possible.
- Enforce Internet security through HTTP proxy filtering. You might want to have a look at the MAPP partners list: www.microsoft.com/security/mapp/
- Enhance messaging filtering (MTA/MDA). FOPE or FPE are examples, or you might want to have a look at the MAPP partners list: www.microsoft.com/security/mapp/
- Enhance network security with Network Intrusion Detection Systems and segmentation. You might want to have a look at the MAPP partners list: www.microsoft.com/security/mapp/
- Protect web applications with a reverse proxy / Web Application Firewall. Forefront UAG is an example of such a solution.
Tooling
- Make sure antivirus is running, and fully up to date, on ALL connected machines. SCCM can help with such a task (inventory, deployment, policy enforcement...). Prefer an enterprise-grade antivirus with a central management console. Please also read the virus scanning recommendations for enterprise computers: http://support.microsoft.com/kb/822158. We also recommend minding the network shares: any equipment (even non-Windows) that clients reach over SMB should be secured locally, i.e. with an antivirus engine running on the server side.
- Deploy a clean-up tool on a regular basis, such as the Malicious Software Removal Tool (deployable through WSUS, see: http://support.microsoft.com/kb/891716; be aware that MSRT belongs to the "Update Rollups" classification, which must be selected for WSUS synchronization), or any equivalent third-party tool. This kind of tool only cleans machines: it provides no real-time protection and is just an executable run as local admin. MSRT is stated to be compatible with most third-party AV solutions.
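The following is an added example (not part of the original article) of the "antivirus running and up to date on ALL machines" check, done over WinRM rather than through SCCM. It assumes WinRM is enabled, that you hold administrative rights on the targets, and that the targets run Windows 8.1 / Server 2012 R2 or later, where the Defender module provides Get-MpComputerStatus; the host names are a constructed sample list.

```powershell
# Added example: report hosts whose Microsoft antimalware engine is off or whose signatures
# are stale. $computers is a constructed sample; feed it from your inventory in practice.
$computers           = @('WKS-001', 'WKS-002', 'SRV-FILE01')
$maxSignatureAgeDays = 3

$report = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        RealTimeEnabled = $s.RealTimeProtectionEnabled
        SignatureAge    = $s.AntivirusSignatureAge     # days since the last definition update
        LastQuickScan   = $s.QuickScanEndTime
    }
}

# Hosts that answered but are non-compliant
$report |
    Where-Object { -not $_.RealTimeEnabled -or $_.SignatureAge -gt $maxSignatureAgeDays } |
    Format-Table Computer, RealTimeEnabled, SignatureAge, LastQuickScan -AutoSize

# Hosts that did not answer: an unknown state must be treated as non-compliant, not ignored
$computers | Where-Object { $_ -notin $report.PSComputerName } |
    ForEach-Object { "UNREACHABLE $_" }
```

Machines that cannot be queried are listed separately on purpose: a host that is missing from the compliant list because it is switched off, off-network or has WinRM disabled is exactly the one that tends to be missing its antivirus too.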
Patch management
- Implement security patch management (deploy all applicable security fixes, not only Microsoft ones) and administrative policy enforcement on any machine connected to the LAN; SCCM/GPMC may help lower the burden. Control which computers are allowed to connect to your LAN by VPN, and make them follow the same security assessment. System Center might be a solution, e.g. with System Center Updates Publisher and/or third-party custom catalogs for Configuration Manager 2007 (see: http://technet.microsoft.com/fr-fr/systemcenter/bb892875.aspx)
Identity Management
Regarding user account management: prefer nominative accounts over generic ones, and reduce the use of built-in generic administrator accounts (such as "Administrator", a name commonly hardcoded in attack tools); at the very least, rename them.
Enforce password complexity through AD GPO (see: https://technet.microsoft.com/en-us/library/hh994571(v=ws.11).aspx); CSS Sec recommends a minimum password length of 15 characters. Keep an eye on service accounts that hold high privileges, locally or on the domain, and change their passwords on a regular basis.
Above all, make sure there is a process in place to disable, then remove (after the desired log retention time), old/unused user accounts.
The best option would be to implement an IAM solution, such as Forefront Identity Manager (http://www.microsoft.com/en-us/server-cloud/forefront/identity-manager.aspx) or an equivalent third-party product, to take care of automated, codeless user provisioning and deprovisioning.
Lower the privileges users have locally: they should not be local administrators unless they really need to be (this is very dangerous, since malware will spread easily and may take complete control of the machines).
Follow best practices for administration: use Kerberos authentication with network logons (logon type 3), and solutions like WinRM or remote PowerShell, to administer machines remotely while protecting data and credentials. Limit the use of domain administrator accounts for RDP sessions on workstations: an interactive logon leaves reusable credential material on the workstation.
NB: using PsExec with the "-u" parameter sends the password in plain text over the wire, as TechNet states.
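As an added example (not part of the original article), here is how the remote administration advice above translates into a concrete check and a concrete habit: audit the local WinRM service for settings that would put credentials on the wire, then run a remote command with Kerberos explicitly required so that it fails rather than silently downgrading to NTLM. It assumes an elevated PowerShell session on a domain-joined admin workstation; 'SRV-FILE01' is a placeholder host name.

```powershell
# Added example: WinRM hardening check + Kerberos-only remote administration.

# 1. Service-side WinRM settings that matter for credential protection (local machine shown;
#    run the same loop through Invoke-Command on every managed host).
$expected = @{
    'WSMan:\localhost\Service\AllowUnencrypted' = 'false'  # never accept plaintext SOAP
    'WSMan:\localhost\Service\Auth\Basic'       = 'false'  # Basic = password on the wire
    'WSMan:\localhost\Service\Auth\Kerberos'    = 'true'
}
foreach ($path in $expected.Keys) {
    $actual = (Get-Item $path).Value
    $state  = if ($actual -eq $expected[$path]) { 'OK' } else { 'FIX' }
    '{0,-3} {1} = {2}' -f $state, $path, $actual
}

# 2. Remote command with Kerberos only. Using an IP address, or a target that is not
#    domain-joined, makes this fail instead of falling back to NTLM.
Invoke-Command -ComputerName 'SRV-FILE01' -Authentication Kerberos -ScriptBlock {
    # Show the last logons on the target with their type and package: an admin session
    # done this way appears as logon type 3 (network) with package Kerberos.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 5 |
        Select-Object TimeCreated,
            @{ n = 'LogonType'; e = { $_.Properties[8].Value } },   # 4624: LogonType
            @{ n = 'Package';   e = { $_.Properties[10].Value } }   # 4624: AuthenticationPackageName
}
```

The property indexes in the script block are those of event 4624 on Windows Vista / Server 2008 and later; if you adapt the check to other event IDs, verify the field order against the event's XML first.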
Secure/audit Active Directory: keep in mind that the AD security boundary is the forest, not the domain; therefore AD security isolation can only be achieved at forest level. Implement AD isolation through separate forests (at least for the DMZ, and even for admin workstations): http://technet.microsoft.com/en-us/library/cc770331(v=ws.10).aspx
Don't forget the administration delegation issues: http://social.technet.microsoft.com/wiki/contents/articles/463.design-considerations-for-delegation-of-administration-in-active-directory-en-us.aspx#Delegating_Administration_with_Forests_Domains_and_Organizational_Units
- Harden local admin passwords, especially if you deploy Windows from operating system images (every machine otherwise ends up with the same local admin password): consider using the LAPS solution to generate unique, yet centrally managed, passwords: https://technet.microsoft.com/en-us/library/security/3062591.aspx
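The account-hygiene points of this section (password policy, renamed built-in administrator, privileged service accounts with unchanging passwords, stale accounts disabled before removal) can be checked in one pass against Active Directory. The script below is an added example, not something the article or Microsoft ships; it assumes the RSAT ActiveDirectory module, PowerShell 3 or later, and rights to read and disable accounts. The thresholds are placeholders to adjust to your own policy.

```powershell
# Added example: Active Directory account-hygiene audit.
Import-Module ActiveDirectory
$minLength   = 15                               # CSS Sec recommendation quoted above
$staleDays   = 90                               # placeholder: align with your own policy
$staleBefore = (Get-Date).AddDays(-$staleDays)

# 1. Domain password policy weaker than the recommendation?
$pol = Get-ADDefaultDomainPasswordPolicy
if ($pol.MinPasswordLength -lt $minLength -or -not $pol.ComplexityEnabled) {
    Write-Warning ('Password policy too weak: MinPasswordLength={0} Complexity={1}' -f
        $pol.MinPasswordLength, $pol.ComplexityEnabled)
}

# 2. Built-in administrator (RID 500) still carrying the name attack tools hardcode?
$domainSid = (Get-ADDomain).DomainSID.Value
$builtin   = Get-ADUser -Identity "$domainSid-500"
if ($builtin.SamAccountName -eq 'Administrator') {
    Write-Warning 'Built-in administrator account has not been renamed'
}

# 3. Domain Admins whose password never expires or has not changed for a year
#    (typical of service accounts that ended up in a privileged group).
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties PasswordLastSet, PasswordNeverExpires |
    Where-Object { $_.PasswordNeverExpires -or $_.PasswordLastSet -lt (Get-Date).AddDays(-365) } |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires

# 4. Stale but still enabled accounts: disable first (reversible), delete only once the
#    log retention period has elapsed, as recommended above.
$stale = Get-ADUser -Filter { Enabled -eq $true -and LastLogonDate -lt $staleBefore } `
                    -Properties LastLogonDate
$stale | Select-Object SamAccountName, LastLogonDate
# Drop -WhatIf once the list has been reviewed with the account owners.
$stale | Disable-ADAccount -WhatIf
```

LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which may lag actual activity by up to 14 days by default; that is why the script only disables, and why the stale threshold should stay well above that lag.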
Device management
- Manage smartphone risks as if they were regular laptops (with wireless, USB and 3G connectivity). Make sure you have a centralized solution to manage them. You might want to have a look at System Center 2012 Configuration Manager: http://blogs.technet.com/b/server-cloud/archive/2012/09/10/system-center-2012-configuration-manager-sp1-beta-and-windows-intune-update.aspx or any equivalent solution from the MAPP.
Data protection
- Consider deploying 64-bit systems in priority over 32-bit ones, because 64-bit Windows systems embed more security features by default than their 32-bit equivalents. For instance, ASLR has a much larger address space to randomize on 64-bit, and DEP is hardware-enforced on those platforms (starting with Vista).
- Encrypt system partitions AND data partitions, using EFS or BitLocker for instance (note that EFS works at file level and cannot protect the system partition itself; BitLocker can). For removable media, BitLocker To Go might be a solution.
- Use strong authentication protocols: our recommendation is Kerberos. In all cases (not only when you have business requirements for NTLMv2), please consider NTLM hardening (Extended Protection for Authentication): http://technet.microsoft.com/en-us/security/advisory/973811, since authentication may fall back to NTLM whenever Kerberos cannot be used. Note that NTLMv1 and LM should be forbidden in any case.
- Mind CRL (Certificate Revocation List) checking over the wire; you may need to allow the corresponding URLs/IP addresses in your perimeter firewall rules. Should you require further information about CRL prerequisites and mechanisms, please refer to the following article: http://social.technet.microsoft.com/wiki/contents/articles/2303.understanding-access-to-microsoft-certificate-revocation-list.aspx. Last but not least, this is about Microsoft's CRLs, but third-party vendors also have URLs for CRL checking!
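Two added examples for the authentication and CRL points above; neither is code from the original article.

The first audits the LSA registry values behind the "Network security" policies that forbid LM/NTLMv1 and raise NTLM session security, and reports drift from a hardened baseline. It assumes an elevated session; the baseline values are the documented registry equivalents of those policies, chosen here as an assumption, not prescribed by the article. On domain-joined machines these values are normally pushed by GPO, so treat the script as a verification of what actually landed on the host.

```powershell
# Added example: NTLM hardening audit (LSA / MSV1_0 registry values).
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = "$lsa\MSV1_0"
$baseline = @(
    # 5 = send NTLMv2 only, refuse LM and NTLM: forbids LM and NTLMv1 as required above
    @{ Path = $lsa; Name = 'LmCompatibilityLevel';      Expected = 5 }
    # 0x20080000 = require NTLMv2 session security and 128-bit encryption (client side)
    @{ Path = $msv; Name = 'NTLMMinClientSec';          Expected = 0x20080000 }
    # same requirement on the server side
    @{ Path = $msv; Name = 'NTLMMinServerSec';          Expected = 0x20080000 }
    # 2 = audit all incoming NTLM (Win7/2008R2+): find who still needs NTLM before blocking it
    @{ Path = $msv; Name = 'AuditReceivingNTLMTraffic'; Expected = 2 }
)
foreach ($b in $baseline) {
    $actual = (Get-ItemProperty -Path $b.Path -Name $b.Name -ErrorAction SilentlyContinue).($b.Name)
    $status = if ($null -eq $actual) { 'UNSET' } elseif ($actual -eq $b.Expected) { 'OK' } else { 'DRIFT' }
    '{0,-5} {1}\{2}: actual=0x{3:X} expected=0x{4:X}' -f $status, $b.Path, $b.Name, $actual, $b.Expected
}
# Remediation is deliberately a separate, reviewed step, e.g.:
# Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
```

The second lists the CRL distribution points of a certificate's whole chain and tests whether each HTTP one is reachable from the host, which answers the practical question of which URLs the perimeter firewall or proxy must let through. It assumes PowerShell 3 or later and a certificate file at a placeholder path.

```powershell
# Added example: which CRL URLs does this certificate chain need, and can we reach them?
$certPath = 'C:\temp\server.cer'   # placeholder: certificate you are about to deploy
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # build the chain; we test CRL access ourselves
[void]$chain.Build($cert)

# OID 2.5.29.31 = CRL Distribution Points; Format($true) renders the URLs one per line
$urls = foreach ($el in $chain.ChainElements) {
    $ext = $el.Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if ($ext) {
        [regex]::Matches($ext.Format($true), 'http://\S+') | ForEach-Object { $_.Value }
    }
}

foreach ($u in ($urls | Sort-Object -Unique)) {
    try {
        $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 10
        '{0,-8} {1}' -f "HTTP $($r.StatusCode)", $u
    } catch {
        '{0,-8} {1}  ({2})' -f 'BLOCKED', $u, $_.Exception.Message
    }
}
```

Only http:// distribution points are tested because that is what crosses the perimeter; ldap:// entries, when present, point at your own directory. Run it from a representative client network segment, not from the admin workstation, since that is where the firewall rule actually applies.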
Monitoring & Audit
- Regarding audit policy: http://technet.microsoft.com/en-us/library/cc731607(v=ws.10).aspx
- Monitor domain user account activity: http://social.technet.microsoft.com/wiki/contents/articles/11302.clarifying-things-regarding-domain-account-password-and-lockout-policy-operational-monitoring.aspx
- Ensure relevant traceability, taking into account the business requirements you may face. You might want to refer to NIST SP 800-92 to know more about security log management. Back up the logs. Keep in mind the need to correlate events between equipment and systems, in order to be able to investigate a security incident.
- Audit your IT security level on a regular basis. At least use a tool like the Microsoft Baseline Security Analyzer (http://www.microsoft.com/en-us/download/details.aspx?id=7558) and, if possible, leverage the Security Compliance Manager (http://technet.microsoft.com/en-us/library/cc677002.aspx).
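The monitoring advice above (watch domain account activity, keep the logs, be able to investigate) is illustrated by the following added example, which is not part of the original article. It runs a minimal detection pass over the Security log of a domain controller and then exports the raw log off-box for retention. It assumes rights to read the Security log on the DC and to write to the share; 'DC01' and '\\LOGSRV\logs' are placeholders, and the event IDs are the Vista / Server 2008 and later ones.

```powershell
# Added example: daily account-activity review on a domain controller + log export.
$dc    = 'DC01'
$since = (Get-Date).AddHours(-24)
$ids   = 4625, 4740, 4720, 4728, 4732, 4756   # failed logon, lockout, user created, member added to global/local/universal security group
$events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $since }

# Failed logons per target account: a burst against one account is the brute-force signal,
# many accounts with a few failures each is the password-spray signal.
$events | Where-Object Id -eq 4625 |
    Group-Object { $_.Properties[5].Value } |          # 4625: TargetUserName
    Where-Object Count -ge 10 | Sort-Object Count -Descending |
    Select-Object @{ n = 'Account'; e = { $_.Name } }, Count

# Lockouts: which account, triggered from which machine.
$events | Where-Object Id -eq 4740 |
    Select-Object TimeCreated,
        @{ n = 'Account'; e = { $_.Properties[0].Value } },   # 4740: TargetUserName
        @{ n = 'From';    e = { $_.Properties[1].Value } }    # 4740: caller computer name

# New accounts and privileged-group membership changes: every line should map to a ticket.
$events | Where-Object Id -eq 4720 |
    Select-Object TimeCreated,
        @{ n = 'Who';        e = { $_.Properties[4].Value } }, # 4720: SubjectUserName
        @{ n = 'NewAccount'; e = { $_.Properties[0].Value } }  # 4720: TargetUserName
$events | Where-Object { $_.Id -in 4728, 4732, 4756 } |
    Select-Object TimeCreated, Id,
        @{ n = 'Who';    e = { $_.Properties[6].Value } },     # SubjectUserName
        @{ n = 'Group';  e = { $_.Properties[2].Value } },     # TargetUserName (the group)
        @{ n = 'Member'; e = { $_.Properties[0].Value } }      # MemberName

# Retention: copy the raw log off the DC so an investigation does not depend on its rollover.
# The export path is interpreted on $dc, so the DC's computer account needs write access.
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
wevtutil epl Security "\\LOGSRV\logs\$dc-Security-$stamp.evtx" /r:$dc
```

Run it against every domain controller, not just one: lockout and failed-logon events are recorded on the DC that processed the attempt (and replicated to the PDC emulator for lockouts), so a single-DC view misses part of the picture, which is the correlation point made above.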
Incident response
- Implement a CERT/CSIRT to provide at least a security watch service and incident response suited to your business requirements. Should you require further information about the basics of security investigation, we recommend reading: http://technet.microsoft.com/en-us/library/cc162832.aspx, and regarding CSIRTs: http://technet.microsoft.com/en-us/library/cc700825.aspx.
Appendix and references
Microsoft Security
Availability and integrity
Have a look at the following documents:
- Win 2008 R2 Performance tuning:
- Win 2003 maintenance:
- Win XP maintenance: disk defragmenting automation
Antivirus exclusion policies:
Please have a look at the following articles:
- How to choose antivirus software to run on computers that are running SQL Server:
- Antivirus recommended comprehensive exclusion list:
- Recommended files and folders exclusions for Forefront Antivirus:
Kerberos:
Remote admin:
Security and 64-bit versions of Windows systems, and implementation differences:
- PatchGuard in Vista 64-bit:
- Differences (i.e. security features) between Vista x86 and x64:
- Driver signing requirement for Vista x64:
- Windows OSes default memory security features, by version
- Mitigating software vulnerabilities: what, where
- EMET v3 features:
Security monitoring:
- list of security events ID and their meaning (Win 7 / 2008 R2):
- list of security events ID and their meaning (Win Server 2003)
- list of events ID that could be excluded from a security monitoring:
Should you require further information about security hardening, you should read this article: http://social.technet.microsoft.com/wiki/contents/articles/18931.security-hardening-tips-and-recommendations.aspx